diff --git a/0006-CVE-2021-3524-1.patch b/0006-CVE-2021-3524-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f3049837175d180319e52935fe3159b18285f330
--- /dev/null
+++ b/0006-CVE-2021-3524-1.patch
@@ -0,0 +1,36 @@
+From 763aebb94678018f89427137ffbc0c5205b1edc1 Mon Sep 17 00:00:00 2001
+From: Casey Bodley
+Date: Tue, 4 May 2021 08:32:58 -0400
+Subject: [PATCH] rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader
+
+follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2 to escape \r as
+well
+
+Fixes: CVE-2021-3524
+
+Reported-by: Sergey Bobrov
+Signed-off-by: Casey Bodley
+(cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac)
+---
+ src/rgw/rgw_cors.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
+index 0b3e4f39455..bfe83d6420e 100644
+--- a/src/rgw/rgw_cors.cc
++++ b/src/rgw/rgw_cors.cc
+@@ -148,8 +148,9 @@ void RGWCORSRule::format_exp_headers(string& s) {
+ if (s.length() > 0)
+ s.append(",");
+ // these values are sent to clients in a 'Access-Control-Expose-Headers'
+- // response header, so we escape '\n' to avoid header injection
+- boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
++ // response header, so we escape '\n' and '\r' to avoid header injection
++ std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
++ boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
+ }
+ }
+
+--
+2.23.0
+
diff --git a/ceph.spec b/ceph.spec
index 16152fac8910dd2d6e3d5501af3b369b1d89858f..04488f7f9a05a6976fcfbca84b1d4411e48039b2 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -110,7 +110,7 @@
 #################################################################################
 Name: ceph
 Version: 14.2.15
-Release: 4%{?dist}
+Release: 5%{?dist}
 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
 Epoch: 2
 %endif
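Review bot: The escaping added to `RGWCORSRule::format_exp_headers` in 0006-CVE-2021-3524-1.patch is still a two-character denylist: `\n` and `\r` are rewritten, but any other control byte in an ExposeHeader value is still appended to the `Access-Control-Expose-Headers` value unchanged. The commit message says this follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2, so the same line has now needed two fixes, which argues for an allowlist instead: header field names are RFC 7230 tokens, and a value containing anything else could be rejected when the CORSConfiguration is accepted rather than escaped at response time. Whether such validation already exists on the parsing side cannot be seen from this hunk; if it does, the comment should say so, for example `// ExposeHeader values are validated as HTTP tokens in <parser>; escaping '\n' and '\r' here is defence in depth`. A regression test that feeds a value containing `\r`, `\n` and another control character through `format_exp_headers` would keep a third follow-up from being needed. The function body starts and ends outside the hunk, so the declaration of `header` and the enclosing loop are not visible here.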
@@ -135,6 +135,7 @@ Patch2: 0002-CVE-2020-27781-2.patch Patch3: 0003-CVE-2020-27781-3.patch Patch4: 0004-CVE-2020-27781-4.patch Patch5: 0005-CVE-2020-27781-5.patch +Patch6: 0006-CVE-2021-3524-1.patch %if 0%{?suse_version} # _insert_obs_source_lines_here @@ -2042,6 +2043,9 @@ exit 0 %changelog +* Mon Jul 26 2021 chixinze - 1:14.2.15-5 +- fix CVE-2021-3524 + * Sun Jul 18 2021 chixinze - 1:14.2.15-4 - fix CVE-2020-27781